
Storing formatted HTML text in database


I am interested in allowing users to "share" information on my website, say something similar to a bulletin board concept. This is something I've never done before because I know that it could introduce security issues.

I'll likely be using ColdFusion as my scripting language. I'm also familiar with PHP, but am leaning towards CF because of its built-in RichText control. The database back-end will either be MySQL or SQL Server.

And so, my question boils down to this: What are the specific security issues and how do I screen user input for them? Does the method of SQL storage have any bearing (say VARCHAR vs BLOB)?


Solution

  • We actually use a CMS for the primary pages of our site, and the heart of it uses a database vs actual files on the system. So for most of the content on our site, we actually have HTML which is being retrieved from a database.

    For example

    blurb.body will equal something like '<p>This is a body paragraph</p>'

    Then one thing we seem to run into sometimes is a character encoding error. It seems like if someone copies some text into the CMS with a " ' " or something, there isn't anything that will convert it automatically to a '.

    But yes, you should be able to do it. Just make sure whatever filtering you do going into the database is reversed correctly on its way out.
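The two concrete risks behind the question are script injection through the stored HTML (it is rendered to every reader of the board) and SQL injection through the text itself. The following is an added example, not code from the answer above or from any of the products it mentions: it screens a post down to an allowlist of tags and attributes, stores it with a parameterized query, and reads it back unchanged. It assumes Python's standard library and an in-memory SQLite table named `posts` (a constructed stand-in for the MySQL or SQL Server table the question describes); the allowlist itself is a constructed, deliberately small one.

```python
import sqlite3
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for a bulletin-board post. Anything not listed here
# is dropped on the way in; nothing needs to be "reversed" on the way out.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuild an HTML fragment keeping only allowlisted tags and attributes.

    Disallowed tags are removed but their text is kept; the *contents* of
    <script> and <style> are removed entirely. Text is re-escaped, so
    entities such as &amp; survive a round trip and stray '<' cannot
    re-open a tag. Output is always balanced.
    """

    DROP_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)  # attrs and text arrive decoded
        self.out = []
        self.skip_depth = 0   # >0 while inside <script>/<style>
        self.open_tags = []   # stack used to emit balanced closing tags

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, style=, and any other attribute
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data: and relative/odd schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":  # void element, never pushed
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        if tag in self.open_tags:
            # Close everything opened since the matching tag, so mis-nested
            # input such as <b><i>x</b></i> still yields balanced output.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # escapes & < > only

    def result(self):
        self.close()  # flush buffered text before closing open tags
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    """Return the allowlisted form of a user-supplied HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def roundtrip(body):
    """Sanitize, store with a bound parameter, and read back the stored body.

    Parameter binding (the '?') is what protects the INSERT; quotes in the
    post are data, not SQL, so they are stored and returned verbatim.
    """
    db = sqlite3.connect(":memory:")  # constructed stand-in for the real DB
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    db.execute("INSERT INTO posts (body) VALUES (?)", (sanitize(body),))
    return db.execute("SELECT body FROM posts").fetchone()[0]


if __name__ == "__main__":
    print(roundtrip("<p onclick=\"x()\">It’s Bob's post<script>alert(1)</script></p>"))
```

Storing the sanitized fragment as-is in a `TEXT`/`VARCHAR` column and binding it as a parameter means the stored value and the displayed value are the same bytes, which is the round-trip property the answer above asks for; the apostrophe problem it mentions comes from escaping text for SQL by hand and then forgetting (or doubling) the reverse step, which parameter binding avoids.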